Dunkin’ Donuts will pay you if your data leaked in the past cyberattack. How to claim your money?

New York authorities and Dunkin’ Brands, which owns the Dunkin’ Donuts chain, reached an agreement to resolve the lawsuit related to the company’s data breach in 2015. Part of the agreement states that affected customers must be notified, in addition to resetting user passwords and refunds to compensate for any unauthorized use of the compromised data.

Dunkin’ Donuts will also need to implement enhanced security mechanisms to prevent a similar incident from occurring in the future and cover a $650,000 fine. Letitia James, the city’s attorney general, said: “For years the company hid the truth and did not protect its customers, many of them suffered the consequences.”  

Apparently it all began in early 2015, when the company’s customer information was compromised by credential-filling attacks. These attacks lasted until 2018, representing thousands of affected accounts.  

By accessing these accounts, threat actors were able to use or sell assets stored on point cards and extract sensitive information. New York authorities mention that the company was alerted in a timely way about the 20,000 compromised accounts, although Dunkin’ Donuts did nothing to stop the intrusion.

Dunkin’ Donuts also did not notify customers of unauthorized access to their accounts or reset password passwords to avoid further problems, the Attorney General’s Office says.

To find out the status of their Dunkin’ Donuts accounts, customers have 90 days to call the company’s customer service phone, or to send an email to customerservice@dunkinbrands.com; the company will send a copy of the account log to detect any signs of unauthorized activity.